Cybersecurity incident involving Canvas

The University has been advised of a global cybersecurity incident affecting the Canvas learning management system used by our staff and students, and in 9,000 educational systems around the world.

The incident relates to Canvas data held by a third party, Instructure, and used within our learning environments and involves unauthorised access by a malicious actor.

Our cybersecurity team is working with Instructure to understand any impacts resulting from this breach. Instructure has advised this may include names, email addresses, student ID numbers and Canvas Inbox and Discussion messages of past and current users. At this stage, no data has been released publicly.

There is no suggestion that any student assessment data is affected, or passwords and single sign-on credentials. Instructure also advises that there is no indication that dates of birth, government identifiers, or financial information were involved in the breach.

The University understands this news may be unsettling, and is actively taking precautions to keep our applications secure.

Phishing is the most likely consequence if it is confirmed University data has been accessed.

Currently, no action is required from staff or students. As a precaution, the University recommends:

• Being cautious of unexpected emails or messages, especially those asking for personal information or prompting urgent action
• Not clicking unfamiliar links or opening unexpected attachments
• Reporting any suspicious messages as follows:
  • Staff report via the IT Service Portal
  • Students report via the Student IT Hub, either online or in person

We will provide updates on this page as more information is confirmed.

Guidance is also available from the government website Own Your Online:

• Scams and fraud
• What is phishing?